Angry Birds is quite chatty with players' personal information, according to an in-depth analysis by FireEye.

The Android version of Angry Birds available on Google Play, last updated March 4, shares personal information such as age, gender and address along with device information with multiple parties, according to a blog post by FireEye researchers Jimmy Su, Jinjian Zhai, and Tao Wei. Users who play the game without a Rovio account are also sharing information about their devices without realizing it, the post said.

This isn't the first time Rovio, the developers behind the very popular Angry Birds apps, has been shown to share user data a little too widely. In January, a joint report from The New York Times, ProPublica and the Guardian revealed government agencies such as the National Security Agency could tap the game and other similar mobile apps to harvest user data. While previous reports had focused on older versions or "special editions" of the game, the FireEye team found that widespread sharing occurs in multiple versions, including the latest "classic" version, Angry Birds 4.1.0.

With more than 2 billion downloads of Angry Birds so far, and more than a quarter billion users who create Rovio accounts, "this sharing affects many, many devices," the researchers wrote.

What Kind of Sharing?

Rovio encourages users to create accounts so they can save scores and in-game objects and swap devices mid-game. Registration asks for date of birth, gender, and email. Players can also subscribe to the newsletter, which asks for email, name, country of residence, and gender. The information is aggregated into a single profile by matching the email address.

FireEye determined that data flows from the Angry Birds app, Angry Birds Cloud, and advertising mediation platform and library Burstly. Third-party advertising networks Jumptap and Millennial Media obtain the information from Burstly to display targeted ads. Angry Birds also uses Skyrocket, an app monetization service from Burstly.

Burstly adds a unique customer identifier to the data it gathers and makes it available to a number of other advertising networks, not just Jumptap and Millennial Media. Along with personal data, device information (including Android and device identifiers), MAC and IP addresses, and the hardware make and model were also being transmitted. At this point, the user has no idea who has this information and no control over it, FireEye noted.

Researchers were also concerned that the information was being transmitted over HTTP, in plaintext or in "easily decrypted formats," according to the post.
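To make that exposure concrete, here is an added example (not from FireEye's analysis or Rovio's code) that audits a capture of an app's requests and reports which hosts received which categories of personal data over unencrypted HTTP. The hostnames, parameter names, and value patterns are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Data categories named in the article; the matching patterns are assumptions.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "mac_address": re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    "android_id": re.compile(r"^[0-9a-f]{16}$", re.I),
    "gender": re.compile(r"^(?:m|f|male|female)$", re.I),
    "birth_date": re.compile(r"^(?:19|20)\d{2}-\d{2}-\d{2}$"),
}

# Constructed capture as (url, form body) pairs; hosts and parameters are invented.
SAMPLE_CAPTURE = [
    ("http://cloud.game.example/register",
     "email=pat%40mail.example&gender=F&dob=1990-04-12"),
    ("http://mediation.example/ad?aid=9f3c1a7be2d04c55&mac=00:1A:2B:3C:4D:5E", ""),
    ("http://adnet-a.example/req?g=female&uid=9f3c1a7be2d04c55", ""),
    ("https://adnet-b.example/req?email=pat%40mail.example", ""),
    ("http://cdn.example/level1.png?v=4", ""),
]

def classify(value):
    """Return the first category whose pattern matches the decoded value."""
    for category, pattern in PATTERNS.items():
        if pattern.match(value):
            return category
    return None

def cleartext_pii_by_host(capture):
    """Map each host to the personal-data categories it received over plain HTTP."""
    exposure = defaultdict(set)
    for url, body in capture:
        parts = urlsplit(url)
        if parts.scheme != "http":  # only unencrypted requests are readable on the wire
            continue
        # Values are classified by shape, so renamed parameters are still caught.
        for _name, value in parse_qsl(parts.query) + parse_qsl(body):
            category = classify(value)
            if category:
                exposure[parts.hostname].add(category)
    return dict(exposure)

if __name__ == "__main__":
    for host, cats in sorted(cleartext_pii_by_host(SAMPLE_CAPTURE).items()):
        print(f"{host}: {', '.join(sorted(cats))}")
```

In the constructed data the same device identifier reaches two different hosts, which is how separate parties can link their records to one device.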

Leaky, Leaky Apps

Rovio's privacy policy clearly says the company will collect and upload the information to third-party marketing entities, so it has covered its bases. However, if personal information is being transmitted, it should never be in plaintext. No excuses.

Security companies are increasingly concerned about the amount of information being transmitted by mobile apps to advertiser networks. We regularly talk about leaky apps as part of Mobile Threat Monday. BitDefender's Clueful informs you when personal information is being shared, and viaForensics recently launched viaProtect, which lets you get an in-depth look at exactly where your data is going.

But this is a really good example of just how much data can be collected and how it just spreads beyond one app. Players may think that the data is being used only for targeted ads within the game, but as is clear from this analysis, once the data is on Burstly's servers, it can be used by anyone, even outside the game. While FireEye focused on Angry Birds, it's a sure bet that other games and apps are using similar tactics to share user information. Remember, just because something is free doesn't mean you're not paying.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
